How to exclude fields from LinearRegression command/use subsearch to generate fields for LinearRegression?

achervov
Engager

Consider fit LinearRegression
| fit LinearRegression "name2predict" from "f1" "f2" into "test_model"

Question 0
What are the flexibilities in defining the FEATURE LIST -- i.e. from "f1" "f2"?

SubQuestion 1
Is it possible to write something like
NOT "f1" - exclude "f1"
or something like f1* OR f2*
etc ?

SubQuestion 2
Can we somehow use a subsearch to generate the fields list?

If there is no simple way to do it, what are some ways around?

0 Karma

skoelpin
SplunkTrust

If you wanted to exclude f1 then you should not include it as your explanatory field. Why would you want to choose f1 OR f2? Why not just include both and let the machine determine which feature to put emphasis on? You can run | summary <model_name> to identify how much impact each feature has on the target function.

What do you mean by using a sub-search to generate a fields list? Are you referring to making the data available so you can fit your model? If so, then you can use whatever you want just as long as the data is available before the fit command. One thing to consider though is speed and scale. You need to make sure your search is fast so it can run on a consistent basis so the machine can keep learning and adapting.

0 Karma

achervov
Engager

Giving an explicit description of field names is very inconvenient in my case, because those names can be changed. I want to exclude a very specific name like "_time", but I do not want to exclude it with a preceding "field - _time" command, because then it will disappear from the whole pipeline, so it would be impossible to plot with the next command "table _time, error". By using a subsearch I mean something like [ | mcatalog | return ??? ]: putting such an expression in place of the explicit fields list.

0 Karma